Hosts are delegated authority over other hosts through the
host-add-managedby utility. This creates a
managedby entry. Once the
managedby entry is created, then the host can retrieve a keytab for the host over which it has delegated authority.
Log in as the admin user.
[root@server ~]# kinit admin
entry. For example, this delegates authority over client2 to client1
[root@server ~]# ipa host-add-managedby client2.example.com --hosts=client1.example.com
Obtain a ticket as the host
[root@client1 ~]# kinit -kt /etc/krb5.keytab host/client1.example.com
Retrieve a keytab for
[root@client1 ~]# ipa-getkeytab -s server.example.com -k /tmp/client2.keytab -p host/client2.example.com
Keytab successfully retrieved and stored in: /tmp/client2.keytab